smb/client: fix out-of-bounds read in symlink_data()
Since smb2_check_message() returns success without length validation for
the symlink error response, in symlink_data() it is possible for
iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer
only contains the base SMB2 header (64 bytes), accessing
err->ErrorContextCount (at offset 66) or err->ByteCount later in
symlink_data() will cause an out-of-bounds read.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Ubuntu USN |
USN-8488-1 | Linux kernel vulnerabilities |
Ubuntu USN |
USN-8489-1 | Linux kernel (OEM) vulnerabilities |
Ubuntu USN |
USN-8490-1 | Linux kernel vulnerabilities |
Ubuntu USN |
USN-8491-1 | Linux kernel (OEM) vulnerabilities |
Ubuntu USN |
USN-8492-1 | Linux kernel vulnerabilities |
Thu, 11 Jun 2026 03:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* |
Mon, 01 Jun 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Sat, 30 May 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
cvssV3_1
|
Fri, 29 May 2026 03:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-119 CWE-20 |
Fri, 29 May 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-125 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Thu, 28 May 2026 12:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-119 CWE-20 |
Thu, 28 May 2026 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read. | |
| Title | smb/client: fix out-of-bounds read in symlink_data() | |
| First Time appeared |
Linux
Linux linux Kernel |
|
| CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Linux
Linux linux Kernel |
|
| References |
|
|
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-06-14T18:01:04.745Z
Reserved: 2026-05-13T15:03:33.103Z
Link: CVE-2026-46185
No data.
Status : Analyzed
Published: 2026-05-28T10:16:34.117
Modified: 2026-06-11T03:02:31.867
Link: CVE-2026-46185
OpenCVE Enrichment
Updated: 2026-05-30T13:00:12Z
Ubuntu USN